I was playing around with Stripe's source code for last year's CTF,
and from what I could see online, most people solved Level 4 by using XSS in
the password field. But look at the following line in srv.rb:

Turns out there is a hole here as well due to the way Ruby treats the ^ and
$ metacharacters. According to the documentation, the ^ anchor
matches the beginning of a line, instead of the entire string. Thus